Open rajatgeminus opened 3 weeks ago
One option you could use is the Process Supervisor Mode: https://developer.hashicorp.com/vault/docs/agent-and-proxy/agent/process-supervisor
This mode injects secrets as environment variables and can be configured to restart the process it's supervising when a new secret is present in a rendered template.
If you're using file templating, it's somewhat up to the client application how it wants to monitor its own config files. Ultimately, this issue will exist however new config is provided to your application. I know some frameworks can deal with this kind of thing automatically, but the recommended approach will depend largely on how your application reads its config -- there's no one-size fits-all recommendation for every language/framework since e.g. SpringBoot might want to handle this differently than a framework-less Java.
A watcher on the file that updates things if there are changes in the file seems like a pretty reasonable solution to me. Agent will only ever update files if there are new values.
Hi,
I’m working on integrating HashiCorp Vault into our application using Vault Agent for authentication. The initial setup works well, where the application reads the Vault token from a file generated by Vault Agent and uses it to authenticate with the Vault server.
However, I’m concerned about handling scenarios where the token’s max TTL is reached, and a new token is generated by Vault Agent.
Currently, our application reads the token once during initialization and uses it for subsequent operations. If the token expires and a new one is generated, the application wouldn’t automatically know about the new token, which could lead to failed operations.
To address this, I am thinking to implement a file watcher that monitors the token file for changes. When a new token is generated, the watcher reloads the token and updates the Vault client. While this seems to work in theory, I want to ensure that we’re following best practices and not missing any important considerations.
Here are the specific questions I have:
I’d appreciate any feedback or suggestions on improving this implementation.